b"AUDIT OF DATA INTEGRITY CONTROLS FOR SELECTED DIVISION OF\n RESOLUTIONS AND RECEIVERSHIPS (DRR) AUTOMATED SYSTEMS\n\n\n                    Audit Report No. 99-047\n                      December 21, 1999\n\n\n\n\n         AUDIT OF DATA INTEGRITY CONTROLS FOR\n          SELECTED DIVISION OF RESOLUTIONS AND\n         RECEIVERSHIPS (DRR) AUTOMATED SYSTEM\n\n\n\n\n                   OFFICE OF AUDITS\n\n            OFFICE OF INSPECTOR GENERAL\n\x0c                       TABLE OF CONTENTS\n\n\n\nBACKGROUND                                           1\n\nOBJECTIVES, SCOPE, AND METHODOLOGY                   3\n\nRESULTS OF AUDIT                                     4\n\nMONITORING DATA INTEGRITY IN DRR SYSTEMS OF RECORD   4\n\n     Recommendations                                 6\n\nBETTER DEFINITION OF DATA STEWARD RESPONSIBILITIES   6\n\n     Recommendations                                 7\n\nERROR CORRECTION AND PREVENTION STRATEGIES           7\n\n     Recommendation                                  8\n\nCORPORATION COMMENTS AND OIG EVALUATION              8\n\nAPPENDIX I \xe2\x80\x93 MEMORANDUM; CORPORATION COMMENTS        10\n\nAPPENDIX II \xe2\x80\x93 TABLE: MANAGEMENT RESPONSES TO\nRECOMMENDATIONS                                      12\n\x0cFederal Deposit Insurance Corporation                                                          Office of Audits\nWashington, D.C. 20434                                                             Office of Inspector General\n\n\n   DATE:                         December 21, 1999\n\n   MEMORANDUM TO:                Mitchell Glassman, Acting Director\n                                 Division of Resolutions and Receiverships\n\n\n\n\n   FROM:                         Steven A. Switzer\n                                 Deputy Inspector General\n\n   SUBJECT:                      Report Entitled Audit of Data Integrity Controls for Selected\n                                 Division of Resolutions and Receiverships (DRR) Automated\n                                 Systems (Audit Report No. 99-047)\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has\n   completed a review of data integrity controls for selected Division of Resolutions and\n   Receiverships (DRR) automated systems. Our review focused on data integrity controls for\n   systems used by DRR to manage the assets of failed financial institutions including owned real\n   estate, loans, and subsidiaries.\n\n   Significant declines in assets under the FDIC\xe2\x80\x99s control over the past several years coupled with\n   new systems development initiatives that DRR has underway and planned should enhance DRR\xe2\x80\x99s\n   ability to maintain high levels of data integrity. However, until new systems initiatives are fully\n   implemented and their effect on data integrity can be measured, interim controls can assist DRR in\n   monitoring and improving data integrity for DRR systems of record. Further, the experience that\n   DRR obtained during past data integrity efforts can assist it in developing and implementing its\n   new initiatives. Our report includes five recommendations that are designed to enhance data\n   integrity controls in critical DRR automated systems of record.\n\n\n   BACKGROUND\n\n   DRR is responsible for the management and disposition of assets acquired from failed insured\n   financial institutions. As of May 31, 1999, DRR was managing assets in liquidation valued at\n   $1.7 billion. DRR projected that the value of these assets would be reduced to $1.3 billion by\n   December 31, 1999. While assets valued at $1.3 billion are significant, they are substantially less\n   than the $18 billion in assets that DRR managed as of January 1, 1996. Asset levels have been\n   reduced significantly in each of the past 4 years. This can be attributed in large part to DRR\xe2\x80\x99s\n   effective disposal program and to the health of the banking industry, which has resulted in very\n   few assets being added to DRR\xe2\x80\x99s inventory of assets in liquidation.\n\n   DRR relies on a variety of application systems to support its operations. Systems supporting\n   DRR functions include the National Processing System (NPS), Credit Notation System (CNS),\n   Owned Real Estate System (ORES), and the Subsidiaries Management Information Network\n\x0c(SIMAN). NPS, a mainframe-based system, is jointly owned by DRR and the Division of Finance\n(DOF) and is the system of record for financial information pertaining to assets of failed\ninstitutions controlled and serviced by the FDIC.\n\nCNS, ORES, and SIMAN are network-based systems that are the primary systems that DRR\nasset account officers use to manage loans, owned real estate, and subsidiaries, respectively.\nThese three systems are the systems of record for non-financial data that resides in them. To the\nextent that non-financial data that resides in the DRR systems CNS, ORE, and SIMAN, also\nresides in NPS, the three referenced DRR systems are the systems of record for that data. The\nsame can be said for financial data that resides in NPS and the three referenced DRR systems.\nThat is, NPS is the system of record for the financial data that resides in both systems.\n\nDRR issued Data Integrity Directive 4360.12 on February 25, 1994 to ensure commitment to\nmaintaining accurate and reliable data in its asset liquidation systems. The directive\xe2\x80\x99s primary\nfocus was to establish quarterly data verification procedures through the use of a software\nprogram called the Data Integrity Verification and Electronic Reporting System (DIVERS).\nDIVERS was used to choose a representative sample of assets from NPS for data verification\ntests. NPS was identified as the financial and non-financial system of record for all internally\nmanaged assets in liquidation. However, over a period of time other subsidiary systems, such as\nCNS, ORE, and SIMAN were used extensively by DRR account officers to perform their day-to-\nday management activities.\n\nDIVERS data integrity evaluations performed on NPS data between September 1996 and June\n1998 identified error rates for critical data elements that consistently exceeded established\ntolerance levels. Between February 1994 and October 1997, DRR field offices were required to\ndevelop corrective action plans if overall error rates exceeded 5 percent. DRR field offices were\nconsistently unable to achieve staying under the 5 percent error threshold. In October 1997, DRR\nincreased the error threshold requiring an action plan for error rates of 10 percent or greater.\nManagement stated that they believed it was not economically practical or feasible to continue\nwith the 5 percent error threshold.\n\nDRR drafted a briefing paper on April 21, 1998 that recommended terminating the DIVERS\nprogram. The primary reason presented in the referenced DRR briefing paper, was that network-\nbased systems had replaced NPS as the systems of record for non-financial data and were\nsupported by independent data verifications. In addition, DRR management officials stated that\nDIVERS was not year 2000 compliant. Their April 21, 1998 memorandum recommended that\nthe DIVERS data integrity program be phased out and that data verification responsibilities be re-\nevaluated and redesigned to work with the new systems environment.\n\nSIMAN was designated as the system of record for non-financial data relating to subsidiaries in\nMarch 1998. CNS and ORE were also designated as the systems of record for non-financial data\nrelating to loans and owned real estate, although there was no formal notification that apprised\nstaff of that situation. System interface routines between NPS, and CNS and ORE were changed\nin 1998 to compare data in NPS with data that resided in CNS and ORE. Prior to CNS and ORE\nbecoming the systems of record for non-financial data, the interface compared data in CNS and\n\n\n                                                2\n\x0cORE with data in NPS.\n\nOn March 19, 1999, DRR\xe2\x80\x99s Data Integrity Advisory Group drafted a memorandum\nrecommending a self-certifying program for DRR systems of record. The group also\nrecommended that data stewards and DRR\xe2\x80\x99s Information Systems Section be tasked with\ndeveloping and implementing data integrity systems, and that data stewards and users be assigned\nresponsibility for program oversight. The self-certifying program that was designed to replace\nthe DIVERS program had not been implemented as of October 19, 1999.\n\nFinally, in a related vein, the OIG\xe2\x80\x99s Atlanta office was performing an audit, entitled Audit of the\nNortheast Service Center\xe2\x80\x99s (NESC) Subsidiary Inventory. The objective of that review was to\ndetermine whether NESC had a complete inventory of subsidiaries belonging to failed financial\ninstitutions in its geographic area of responsibility. Accordingly, that review assessed whether the\nNESC\xe2\x80\x99s SIMAN system contained a complete inventory of subsidiaries. A report is scheduled for\nissuance in January 2000.\n\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe objective of the audit was to determine the adequacy of the DRR data integrity controls for\nselected DRR application systems. To accomplish our audit objective, we interviewed\nheadquarters DIRM and DRR personnel, and DRR and DOF field office personnel in Hartford,\nConnecticut, and Dallas, Texas.\n\nIn addition, to determine the effectiveness of DRR\xe2\x80\x99s error correction strategies, we reviewed\nDIVERS Certification Reports and resulting error correction strategies for NPS data elements\nfrom four offices between the periods September 1996 through June 1998. We also reviewed\nDRR directives related to the DIVERS program and overall data integrity. We reviewed the\nMarch 29, 1999 functional requirement documents for CNS, data input and processing procedure\nmanuals for DRR systems of record, and DRR survey results relating to the proposed self-\ncertification program.\n\nFurther, we reviewed the May 29, 1999 functional requirements document for the Sync and Sync\ncompare systems, which electronically compare non-financial data from CNS and ORE to NPS.\nWhen differences are identified, an exception report is generated, and DRR account officers are\nrequired to research differences and make the appropriate corrections.\n\nWe also reviewed DRR\xe2\x80\x99s 1999 Annual Performance Plan and noted that one of the objectives\nlisted was to ensure asset inventory data was accurate. DRR established a target that stated the\nquality of inventory data will continue through the data integrity project.\n\nInitially, our review was also intended to evaluate the reconciliation process that takes place each\nmonth between the FDIC\xe2\x80\x99s Control Totals Module (CTM) and the Central Loan Database (CLD).\n CTM supports the FDIC\xe2\x80\x99s general ledger system, and CLD is an asset inventory system for all\nloans. Each month, the contractor that maintains CLD reconciles CLD and CTM differences\n\n\n                                                 3\n\x0cpertaining to asset counts and amounts. After a preliminary evaluation of the reconciliation\nprocess, we decided to delete this objective from our review.\n\nOur decision was based on several factors including the fact that the inventory of loans maintained\nin CLD had been reduced significantly and further reductions were expected. In addition, DRR\nand the CLD contractor were effectively reconciling CTM and CLD data, and many of the more\nsignificant reconciling items were due to data entry timing differences for CTM and CLD.\nFinally, planned and in-process system development was intended to further facilitate the\nreconciliation process.\n\nOur audit work relating to data input, processing, and interface controls was limited to the NPS,\nCNS, ORES, and SIMAN automated systems. The audit was conducted in accordance with\ngenerally accepted government auditing standards between May 1998 and July 1999.\n\n\nRESULTS OF AUDIT\n\nDRR monitoring of NPS data integrity historically identified error rates that exceeded DRR\xe2\x80\x99s\nacceptable tolerance levels. Management discontinued its practice of using the DIVERS system\nfor routinely measuring data accuracy and planned an alternative means of monitoring data\naccuracy using data stewards and a self-certification procedure. However, this approach did not\nprovide adequate assurance that data accuracy tests were consistently applied or that the results\nwere reliable.\n\nTo better ensure data integrity, DRR needs to establish effective controls, including detailed data\nintegrity criteria for NPS and other critical DRR systems of record. DRR can also improve data\nintegrity by developing and communicating a more comprehensive definition of data steward\nresponsibilities and ensuring effective oversight for the data steward self-certification process. In\naddition, implementing better error prevention and correction strategies would serve to improve\nDRR data.\n\n\nMONITORING DATA INTEGRITY IN DRR SYSTEMS OF RECORD\n\nOur audit identified opportunities for DRR to improve data integrity controls for data that reside\nin its systems of record and to develop standardized data integrity policies and procedures that\nprovide detailed criteria to be used when measuring data integrity.\n\nDRR did not have an effective process in place to measure data accuracy or correct errors in its\nsystems of record. DRR relied on the DIVERS program to evaluate NPS data integrity on a\nquarterly basis until the second quarter of 1998 when DIVERS use was discontinued.\nManagement discontinued the use of DIVERS for routinely measuring data accuracy in NPS and\nplanned an alternative means of monitoring data accuracy in NPS and DRR systems of record\nusing data stewards and a self-certification procedure. However, this approach did not provide\n\n\n\n\n                                                  4\n\x0cadequate assurance that data accuracy tests were consistently applied or that the results were\nreliable.\n\nDRR performed a comprehensive data integrity survey in April 1998 that determined the DIVERS\ndata verification program could be replaced by a program that allows a data steward and system\nusers to certify the accuracy of their system\xe2\x80\x99s data. However, DRR had not developed or\nimplemented policy or standard procedures for the program. Further, DRR\xe2\x80\x99s Dallas and Hartford\noffices differed in their design and implementation of data verification controls, and neither office\nhad developed procedures requiring periodic review and verification of CNS data or assigned a\ndata steward to oversee data verification procedures.\n\nThe ORE data steward in Dallas had implemented a comprehensive data verification process that\nincluded quarterly matching of system data to source documents and automated ticklers to ensure\nthat dynamic data elements were reviewed and modified when necessary. However, Hartford\nORE managers had not developed a formal system of data verification.\n\nDRR plans to better address its long-term data integrity needs through a system currently being\ndeveloped. DRR\xe2\x80\x99s Consolidated Asset Systems Modernization Program (CAMP) is designed to\nprovide a suite of systems that can more effectively and efficiently support DRR\xe2\x80\x99s business needs.\n Phase I of the CAMP project involves the definition, development, and implementation of the\nNational Asset Inventory System (NAIS), the central application that will bring DRR\xe2\x80\x99s various\ndatabases into a single data environment and interface. Phase II of CAMP involves re-engineering\nthe current Clipper systems, including CNS and ORE, into a Windows-based relational database\nenvironment. The common elements in the systems will be combined into common database\ntables to reduce data feeds and redundant data entry.\n\nFull implementation of CAMP should provide DRR the ability to significantly improve data\nintegrity. However, the initial phases of CAMP are not expected to be complete until March 31,\n2000. Until CAMP is fully implemented and its effect on data integrity can be measured, DRR\nneeds to develop interim controls to ensure that data accuracy is effectively monitored and\nmaintained.\n\nThe SIMAN system that is used to manage subsidiaries was not included within the scope of the\nCAMP project. Accordingly, there is a need for an effective short and long-term data monitoring\nand correction program for that system also.\n\nConsidering the recent downsizing and the limited resources available to support effective data\nintegrity controls, we believe that management should consider placing greater emphasis on data\nverification procedures for dynamic data elements and large-dollar assets. Dynamic data elements\nare those that are subject to more frequent modification, such as \xe2\x80\x9cappraisals\xe2\x80\x9d and \xe2\x80\x9cforeclosure\xe2\x80\x9d\ndata for CNS, and \xe2\x80\x9cbroker listings\xe2\x80\x9d and \xe2\x80\x9cproperty managers\xe2\x80\x9d for ORE. By concentrating on data\nthat most impacts its operations, DRR can better focus its resources.\n\n\n\n\n                                                 5\n\x0cRecommendations\n\nWe recommend that the Acting Director, Division of Resolutions and Receiverships:\n\n(1)    Strengthen data integrity controls by establishing detailed policies and procedures that\n       include criteria for monitoring data accuracy for each critical DRR system of record and\n       ensure they are documented and applied consistently in all field offices.\n\n(2)    Develop interim data integrity processes that focus on dynamic data elements and large-\n       dollar assets until CAMP is fully implemented.\n\n\nBETTER DEFINITION OF DATA STEWARD RESPONSIBILITIES\n\nDRR performed a comprehensive survey in April 1998 that determined the DIVERS data\nverification program could be replaced by a program that allows a data steward and system users\nto certify the adequacy of their system\xe2\x80\x99s data. However, to better ensure data integrity, DRR\nneeds to establish effective controls, including detailed data integrity criteria for NPS and other\ncritical DRR systems of record. DRR can also improve data integrity by developing and\ncommunicating a more comprehensive definition of data steward responsibilities and ensuring\neffective oversight for the data steward self-certification process.\n\nDRR data stewards did not know they had been assigned the title and duties or were unclear as to\nthe extent of their data integrity responsibilities. The Internal Review managers for both the\nHartford and Dallas offices stated that data stewards within their offices did not clearly\nunderstand the extent of their data integrity responsibilities, and some did not know they had been\nassigned the title.\n\nThe CNS data steward in Dallas believed his responsibilities were limited to approving system\naccess and recommending automated system edits. The DIRM manager responsible for\noverseeing the FDIC data steward program also indicated that the program needs to be revised to\nresolve this confusion. In addition, DRR Internal Review officials confirmed that the data\nsteward program needs strengthening. They determined that 6 out of 10 DRR systems evaluated\nwere not adequately supported by data stewards.\n\nDIRM issued Circular 1301.6 on June 5, 1996 establishing the FDIC\xe2\x80\x99s data integrity program.\nThat Circular states that data stewards are responsible for data quality initiatives and quality\nstandards. In addition, DIRM later issued a data steward handbook that further describes a data\nsteward\xe2\x80\x99s roles and responsibilities at a high level. Neither the circular nor handbook provide\ndetailed criteria or guidelines regarding frequency of testing or what constitutes an unacceptable\nerror rate. These documents also do not prescribe what actions should be taken if unacceptable\nerror rates are obtained or provide guidance on testing methodologies to be employed.\n\nAdditionally, the data integrity program did not provide for periodic independent testing of data\nto validate the results of tests and error correction strategies. In our opinion, this is an area where\nDRR\xe2\x80\x99s Internal Review group could independently review the accuracy of data and evaluate the\n\n\n                                                  6\n\x0ceffectiveness of the program. While account officers and program officials can self-certify data\nbased upon testing under the guidance of data stewards, the data validation and correction\nprocess could be enhanced by periodic testing by an independent organization such as DRR\xe2\x80\x99s\nInternal Review group.\n\nWithout more detailed criteria on the roles and responsibilities of data stewards, the reliability of\ndata test results is questionable, as the methodologies used to evaluate and test the accuracy of\ndata are not uniform and consistent. Similarly, absent detailed procedures that prescribe the\nactions that are required when error rates are exceeded, there is no assurance that effective error\ncorrection strategies will be implemented and that data accuracy will improve.\n\nRecommendations\n\nWe recommend that the Acting Director, Division of Resolutions and Receiverships:\n\n(3)    More clearly define the roles and responsibilities of data stewards who will support data\n       integrity for DRR systems of record.\n\n(4)    Ensure that periodic, independent data integrity testing is performed by DRR\xe2\x80\x99s Office of\n       Internal Review to validate the results of any self-certification programs employed.\n\n\nERROR CORRECTION AND PREVENTION STRATEGIES\n\nWhile DRR needs to implement an effective data integrity monitoring program for its critical\nsystems of record, it also needs to implement more effective error correction and prevention\nstrategies. Improvements in these areas could reduce the error rates that field offices experienced\nwhen data integrity was monitored for NPS data.\n\nDIVERS data integrity evaluations performed on NPS data between September 1996 through\nJune 1998 identified error rates for critical data elements that consistently exceeded established\ntolerance levels. Between February 1994 and October 1997, DRR field offices were required to\ndevelop corrective action plans if the overall error rate for data tested exceeded 5 percent.\nDespite evidence that the overall 5 percent threshold was consistently exceeded, DRR revised its\nprocedures in October 1997 and increased the threshold at which a corrective action plan was\nrequired to 10 percent.\n\nDRR Data Integrity Directive 4360.12 required DRR management to develop error correction\nstrategies when the quarterly DIVERS reports indicated the office\xe2\x80\x99s overall error rate to be over\n5 percent. The Directive\xe2\x80\x99s intent was not only to identify and correct data errors but to assist\nmanagement in identifying systemic weaknesses that might have contributed to errors.\n\nDRR Internal Review officials in Dallas and Hartford indicated that one reason the error rates\nremained high was because account officers limited their error correction efforts to those assets\nthat were sampled and for which errors were found. Under the DIVERS program, DRR did not\n\n\n                                                  7\n\x0cdevelop procedures that required account officers to review their complete asset portfolio for\nsimilar errors or to determine whether errors were the result of systemic causes. We noted two\ninstances where field offices stated in their action plans that they planned to do a scrub of the data\nthat exceeded acceptable error thresholds. However, error rates generally remained the same or\nincreased in field offices where DRR error thresholds were exceeded. Management stated that it\nwas in the process of developing uniform criteria for corrective action plans when the decision\nwas made to terminate the DIVERS program.\n\nWe also noted that some reported errors were due to needed corrections in testing methodology\nrather than procedural or system problems. For example, we noted that DIVERS data accuracy\nevaluations sometimes recorded multiple errors that were attributable to one inaccurate data\nelement. This occurred because one data element impacted other data elements for the same\nasset. For example, if the interest rate was inaccurate, the payoff amount was also inaccurate. In\na similar fashion, appraisal value could affect fair market value.\n\nIn addition, we noted where data was classified as inaccurate because there was no supporting\ndocumentation, even though the data may have been accurate. Additionally, some reported errors\nwere based on differing interpretations of asset values rather than clear data errors. Missing data\nwas also recorded as inaccurate data.\n\nThe reliability and accuracy of data maintained on DRR\xe2\x80\x99s systems of record is critical to the\nsuccessful liquidation and sales efforts used by DRR to dispose of assets acquired from failed\nfinancial institutions. The FDIC relies upon this information to make prudent business decisions\nin the best interests of the Corporation and the receivership estate. When error rates for sampled\ndata elements exceed acceptable thresholds, management should require more comprehensive\nerror correction strategies for assets that were not part of the sampled universe. For example,\nprocedures could require a complete data scrub of all assets, or subsets of asset groups, or a more\nlimited scrub that encompassed all assets with a value in excess of a specified dollar threshold or\nother criteria. In addition, if errors are of a type that could be prevented through automated edits,\nsystem changes should be considered to incorporate the appropriate automated edits.\n\nRecommendation\n\nWe recommend that the Acting Director, Division of Resolutions and Receiverships:\n\n(5)    Ensure that effective long-term error correction strategies are implemented when error\n       rates exceed established tolerance levels, including identifying systemic causes of errors.\n\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn December 15, 1999, the Acting Director, DRR, provided a written response to the draft\nreport. Management agreed with each of the report\xe2\x80\x99s recommendations and proposed actions\nthat satisfied the intent of each recommendation. A summary of management\xe2\x80\x99s responses to the\nrecommendations contained in this report follows.\n\n\n                                                  8\n\x0cManagement agreed with recommendations 1 and 2 and stated that a DRR task force would be\nappointed to establish an interim Data Quality program. Management also stated that it would\nimplement a data integrity process that would focus on dynamic data elements and large dollar\nassets, or some other approach that meets the intent of our recommendation.\n\nManagement agreed with recommendations 3 and 4. Regarding recommendation 3, it stated that\nit would develop an interim program that would include defining the roles and responsibilities for\ndata stewards or their functional equivalent. Concerning recommendation 4, management stated\nthat DRR\xe2\x80\x99s Office of Internal Review would implement independent testing that will be a part of\nDRR\xe2\x80\x99s interim data integrity program.\n\nFinally, management agreed with recommendation 5 and stated that it would establish a process to\nidentify causes of excessive systemic errors.\n\nThe Corporation\xe2\x80\x99s response to the draft report provides the elements necessary for management\ndecisions on each of the report\xe2\x80\x99s recommendations. Accordingly, no further response to this report is\nrequired.\n\n\n\n\n                                                  9\n\x0c                                                                                                  APPENDIX I\n\nFederal Deposit Insurance Corporation\n550 Seventeenth Street, N.W.                                                                Office of the Director\nWashington, DC 20429                                                  Division of Resolutions and Receiverships\n\n\n                                                            December 15, 1999\n\n\n\n\n     MEMORANDUM TO:                David H. Loewenstein\n                                   Assistant Inspector General\n\n\n     FROM:                         Mitchell L. Glassman, Acting Director\n                                   Division of Resolutions and Receiverships\n\n     SUBJECT:                      OIG Draft Report Entitled Audit of Data Integrity\n                                   Control for Selected Division of Resolutions and\n                                   Receiverships (DRR) Automated Systems\n\n\n     On October 29, 1999 the Office of the Inspector General (OIG) issued its draft report on\n     the results of an audit of data integrity controls for selected DRR automated systems\n     (Audit Number 98-902).\n\n     Following are management's responses to the areas questioned in the audit report.\n\n     1. Strengthen data integrity controls by establishing detailed policies and procedures that\n        include criteria for monitoring accuracy for each critical DRR system of record and\n        ensure they are documented and applied consistently in all field offices.\n\n     Management agrees with the OIG's recommendation. The Acting Director, DRR has\n     designated Co-Chairs for a task force to establish an interim Data Quality program. The\n     Co-Chairs of the task force are the Associate Director (Field Operations Branch) and the\n     Associate Director (Internal Review). The task force will include staff drawn from the\n     major business program areas, Information Services Section (ISS) and Internal Review.\n     In addition, DRR will contact the Director, Office of Internal Control Management and\n     the Office of Inspector General to solicit their participation in the Task Force.\n\n     Initially, the Task Force will identify the primary business systems relied upon by DRR.\n     The Task Force will also develop interim policies and procedures for implementing a data\n     quality program. A preliminary plan will be in place by the end of the 1st quarter 2000.\n\n     DRR Internal Review, in conjunction with the work of the Task Force, will conduct\n     targeted data testing. The objective of the testing will be to provide the Task Force with\n     preliminary information on the current quality of the relevant data.\n\n\n\n                                                 10\n\x0cDavid H. Loewenstein                          -2-                      December 15, 1999\n\n\n2. Develop interim data integrity processes that focus on dynamic data elements and\n   large dollar assets until CAMP is fully implemented.\n\nManagement agrees with the OIG\xe2\x80\x99s recommendation. The DRR task force will adopt this\nrecommendation or other approach which is acceptable to the OIG. The task force will\nestablish an interim approach by the end of the 1St quarter 2000.\n\n3. More clearly define the roles and responsibilities of data stewards who will support\n   data integrity for DRR systems of record.\n\nManagement agrees with the recommendation; however, DRR notes that the FDIC is\ncurrently involved in a Corporate effort to re-develop its Data Stewardship program.\nPending the finalization of the Corporate policy related to Data Stewardship, DRR\nwill develop an interim program which will include defining the roles and\nresponsibilities for Data Stewards or their functional equivalent. The interim\nimplementation plan will be completed by the end of the 1st quarter 2000.\n\n4. Ensure that periodic, independent data integrity testing is performed by DRR\xe2\x80\x99s\n   Office of Internal Review to validate the results of any self-certification programs\n   employed.\n\nManagement agrees with the OIG that independent testing be performed by Internal\nReview. IR will implement independent testing that will be a part of the interim\nplan. The IR independent testing program will be completed by the end of the 2nd\nquarter 2000.\n\n5. Ensure that effective long-term error correction strategies are implemented when error\n   rates exceed established tolerance levels, including identifying systemic causes of\n   errors.\n\nManagement agrees with the OIG\xe2\x80\x99s recommendation. DRR will establish a process to\nidentify causes of excessive systemic errors. The process will focus on cost-effective\nremedies. If excessive errors are identified, DRR will develop a cost-effective, corrective\naction plan to correct the cause of the error.\n\n\n\n\n                                             11\n\x0c                                                                                                                                            APPENDIX II\n\n                                          MANAGEMENT RESPONSES TO RECOMMENDATIONS\nThe Inspector General Act of 1978, as amended, requires the OIG to report on the status of management decisions on its recommendations in its\nsemiannual reports to the Congress. To consider FDIC\xe2\x80\x99s responses as management decisions in accordance with the act and related guidance, several\nconditions are necessary. First, the response must describe for each recommendation\n     \xe2\x80\xa2 the specific corrective actions already taken, if applicable;\n     \xe2\x80\xa2 corrective actions to be taken together with the expected completion dates for their implementation; and\n     \xe2\x80\xa2 documentation that will confirm completion of corrective actions.\nIf any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons for any\ndisagreement. In the case of questioned costs, the amount FDIC plans to disallow must be included in management\xe2\x80\x99s response.\nIf management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.\nSecond, the OIG must determine that management\xe2\x80\x99s descriptions of (1) the course of action already taken or proposed and (2) the documentation\nconfirming completion of corrective actions are responsive to its recommendations.\nThis table presents the management responses that have been made on recommendations in our report and the status of management decisions. The\ninformation for management decisions is based on management's written response to our report.\n\n                                                                                                     Expected     Documentation That               Management\n   Rec.                                                                                             Completion    Will Confirm Final    Monetary    Decision:\n  Number             Corrective Action: Taken or Planned / Status                                      Date              Action         Benefits    Yes or No\n             Management agreed with the finding and recommendation.                                  3/31/00     Written policies and    N/A          Yes\n     1\n                                                                                                                 procedures, and\n             The Acting Director, DRR has designated Co-Chairs for a task force to establish an                  correspondence\n             interim Data Quality program. The task force will include staff drawn from the                      implementing a data\n             major business program areas, Information Services Section (ISS), and Internal                      quality program.\n             Review (IR). In addition, DRR will contact the Director, OICM, and the OIG to\n             solicit their participation in the task force.\n\n             Initially, the task force will identify the primary business systems relied upon by\n             DRR. The task force will also develop interim policies and procedures for\n             implementing a data quality program.\n\n             DRR\xe2\x80\x99s IR, in conjunction with the work of the task force, will conduct targeted data\n             testing. The objective of the testing will be to provide the task force with\n             preliminary information on the current quality of the relevant data.\n\n\n\n\n                                                                                   12\n\x0c                                                                                                                                                   APPENDIX II\n\n                                                                                                     Expected     Documentation That                  Management\n Rec.                                                                                               Completion     Will Confirm Final      Monetary    Decision:\nNumber           Corrective Action: Taken or Planned / Status                                          Date               Action           Benefits    Yes or No\n         Management agreed with the finding and recommendation.                                      3/31/00     Written criteria that      N/A          Yes\n  2                                                                                                              illustrate data\n         The DRR task force will adopt this recommendation or another approach which is                          integrity processes\n         acceptable to the OIG.                                                                                  are focusing on\n                                                                                                                 dynamic data and\n                                                                                                                 large-dollar assets.\n         Management agreed with the finding and recommendation.                                      3/31/00     DRR directive or            N/A         Yes\n 3                                                                                                               policy memo that\n         Pending the finalization of the corporate policy related to data stewardship, DRR                       defines the roles and\n         will develop an interim program which will include defining the roles and                               responsibilities of\n         responsibilities for data stewards or their functional equivalent.                                      data stewards in\n                                                                                                                 DRR.\n\n\n         Management agreed with the finding and recommendation.                                      6/30/00     Results of initial data     N/A         Yes\n                                                                                                                 integrity testing by\n 4\n         The Office of Internal Review will implement independent testing that will be a part                    IR.\n         of the interim data integrity program.\n\n         Management agreed with the finding and recommendation.                                      3/31/00     Management\xe2\x80\x99s                N/A         Yes\n 5                                                                                                               response to the draft\n         DRR will establish a process to identify causes of excessive systemic errors. The                       report.\n         process will focus on cost-effective remedies. If excessive errors are identified, DRR\n         will develop a cost-effective, corrective action plan to correct the cause of the error.\n\n\n\n\n                                                                               13\n\x0c"